Protection, standardisation and the establishment of safe working environments are the key reasons why the healthcare sector is highly regulated, supporting reliable public health and welfare. As the world continues to digitise, healthcare providers face growing compliance obligations.
Several pieces of South African legislation govern credit compliance, relevant to this sector. The National Credit Act, for example, describes which particulars need to be included on every credit agreement. It confirms that, when using an advanced electronic signature or an electronic signature, it is the credit provider’s responsibility to take reasonable measures to prevent the use of the consumer’s electronic signature for any purpose other than the signing or initialling of the particular document that the consumer intended to sign or initial.
To comply, the signature must be created in line with Sections 37 and 38 of the Electronic Communications and Transactions Act (25 of 2002), which set out the criteria for accreditation of an electronic signature by the Accreditation Authority. These include that the signature must be uniquely linked to the signer; the signer must be identifiable; the signature must be created by a means that can be maintained under the sole control of the signer; and it must be linked to the data in such a way that any subsequent change to the data is detectable.
The question now is, how can this be achieved? Carrie Peter, Managing Director of Impression Signatures – an EOH Company – confirms that compliance requires two key elements: consent (a party’s provable intent to agree or contract) and an agreement (such as a quote, NDA, employment letter, purchase order approval, etc.).
“The intersection of privacy and proof of intent is critical. To ensure compliance, healthcare providers must keep a record of any consent, agreement, or notification. To avoid negative legal implications, the provider should not use consent where a contract is more suitable. Providing a closed loop process where agreements cannot be altered is best practice, and tracking signatory’s interactions with the agreement to prove intent is essential.”
When healthcare providers contract with patients, staff or stakeholders, identity is a crucial element of compliance. Peter confirms that compliance and trust require that all parties are identified. When applying an eSignature, providers must ensure that all parties to the contract are identifiable for the contract to be valid. This requires that the provider knows the customer or intended signatory and ensures that the document is made available only to them. Here layered controls must be embedded to ensure that only the signatory can access the document and apply their signature.
Once the document has been signed, any alteration must be restricted. “Technical controls must be in place to ensure integrity and the document must be stored in an immutable format, like PDF,” advises Peter. “The completed document must also be digitally signed to prevent tampering, with the capabilities needed to clearly highlight any attempts at alteration or tampering after signing.”
She adds that the onus is on the healthcare provider to provide proof of compliance. To deliver on this onus, the provider must fully understand consent and agreement requirements within its existing processes and solutions, and provide technical proof of the signing process, workflow, and signatory interactions. “Here technical audit trails must be easily understandable through the use of an eSignature platform that offers a Chain of Custody Certificate.”
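The two technical controls described above, a digital signature over the completed document so that any later alteration is detectable, and an audit trail of signatory interactions that cannot be quietly edited, can be illustrated with a small example. The following Go program is an added example and is not code from Impression Signatures or any eSignature platform; it assumes Ed25519 from the Go standard library as the signing scheme and a simple SHA-256 hash chain as a stand-in for a chain of custody record. The document text and event names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedDocument bundles the final document bytes, the signer's public key
// and the signature over the SHA-256 digest of those bytes.
type SignedDocument struct {
	Content   []byte
	Signer    ed25519.PublicKey
	Signature []byte
}

// NewSignerKey creates a fresh Ed25519 key pair for one signatory. In a real
// platform the private half stays under the signer's sole control.
func NewSignerKey() (ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, err
}

// Digest returns the SHA-256 of the document bytes; the signature covers this
// digest, so the signature is bound to the exact content that was signed.
func Digest(content []byte) []byte {
	h := sha256.Sum256(content)
	return h[:]
}

// SignDocument signs the digest with the signatory's private key. Only the
// holder of that key can produce a signature that verifies under its public key.
func SignDocument(content []byte, priv ed25519.PrivateKey) SignedDocument {
	return SignedDocument{
		Content:   append([]byte(nil), content...),
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, Digest(content)),
	}
}

// VerifyDocument recomputes the digest from the stored content and checks the
// signature. Any change to the content after signing makes this return false.
func VerifyDocument(doc SignedDocument) bool {
	return ed25519.Verify(doc.Signer, Digest(doc.Content), doc.Signature)
}

// AuditEntry is one signatory interaction (viewed, consented, signed, ...).
// PrevHash links it to the preceding entry so the sequence cannot be reordered
// or edited without breaking every later hash.
type AuditEntry struct {
	Seq      int
	Event    string
	PrevHash string
	Hash     string
}

func entryHash(seq int, event, prev string) string {
	h := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s", seq, event, prev)))
	return hex.EncodeToString(h[:])
}

// AppendEvent adds an interaction to the trail, chaining it to the last entry.
func AppendEvent(trail []AuditEntry, event string) []AuditEntry {
	prev := ""
	if len(trail) > 0 {
		prev = trail[len(trail)-1].Hash
	}
	seq := len(trail)
	return append(trail, AuditEntry{seq, event, prev, entryHash(seq, event, prev)})
}

// VerifyTrail walks the chain from the first entry and reports whether every
// link and every stored hash is consistent with the recorded events.
func VerifyTrail(trail []AuditEntry) bool {
	prev := ""
	for i, e := range trail {
		if e.Seq != i || e.PrevHash != prev || e.Hash != entryHash(i, e.Event, prev) {
			return false
		}
		prev = e.Hash
	}
	return true
}

func main() {
	priv, err := NewSignerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document and interaction history.
	doc := SignDocument([]byte("Patient consent form, version 1"), priv)
	trail := AppendEvent(nil, "document delivered to signatory")
	trail = AppendEvent(trail, "signatory authenticated")
	trail = AppendEvent(trail, "signature applied")
	fmt.Println("document verifies:", VerifyDocument(doc), "trail verifies:", VerifyTrail(trail))

	// Simulate post-signing alteration: both checks now fail.
	doc.Content[0] ^= 0x01
	trail[1].Event = "signatory authenticated (edited)"
	fmt.Println("after tampering:", VerifyDocument(doc), VerifyTrail(trail))
}
```

The point of the example is the pairing: the signature proves the document has not changed since the signatory signed it, and the hash chain proves the sequence of interactions leading to that signature has not been rewritten. A production platform would additionally timestamp entries, bind the trail to the document digest and protect the signer's private key in hardware, none of which this example shows.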
The legal requirement to store medical records is binding, and compliance is essential. For medical interventions that fall under the Occupational Health and Safety Act (85 of 1993), for example, health records must be kept for 20 years after treatment. This clearly requires that medical records must be securely stored for the required legislated period.
“Medical information is deeply sensitive and must be secured. Providers must be aware of which data must be kept, and for what period of time. It is as important to store the information for the right period of time as it is to destroy the information once it is beyond its useful life or required period,” concludes Peter. “Healthcare providers must also utilise secure networks, systems, and storage infrastructure appropriately to prevent cyber incidents.”